Commissioner for Information of Public Importance and Personal Data Protection has issued long-awaited Decision on Determining Standard Contractual Clauses which will enter into force on 30 January 2020.
These Standard Contractual Clauses (hereinafter: “SCCs”) consist of rights and obligations which regulate relations between the controller and processor of personal data and their main purpose is to ensure a sufficient protection of data that is being transferred internationally.
When to use SCCs
Both General Data Protection Regulation and Serbian Act on Personal Data Protection require the relations between controller and processor to be regulated by contract or other legal act in such a way that personal data remains protected at all times, regardless of whether the controller and processor transfer data domestically or internationally.
However, as per Serbian Act on Personal Data Protection, if personal data is being transferred to a third country or international organization for which the Serbian Government has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question does not ensure an adequate level of protection, such transfer shall be subjected to prior authorization from the Commissioner for Information of Public Importance and Personal Data Protection, unless appropriate safeguards are provided and that enforceable data subject rights and effective legal remedies for data subjects are available. One of the ways to provide appropriate safeguards and circumvent the prior approval procedure is to incorporate SCCs into contracts between the controller and the processor on the condition that they are incorporated in their entirety. In that way, it shall be considered that the appropriate safeguards are ensured.
To summarize, SCCs should be incorporated into every contract between the controller and the processor if the personal data is being transferred to a country, territory, one or more specified sectors of the country or international organization that according to a decision of Serbian Government does not ensure an adequate level of protection for personal data.
This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.
By Katarina Zivkovic, Senior Associate, and Dragan Martin, Associate, Samardzic, Oreski & Grbovic